tauri-apps / tauri

Build smaller, faster, and more secure desktop applications with a web frontend.
https://tauri.app
Apache License 2.0

[bug] assetScope is inconsistent between absolute and relative paths #5896

Open Elanis opened 1 year ago

Elanis commented 1 year ago

Describe the bug

(Report after discussion on Discord with @FabianLars and @lucasfernog)

When using relative paths with the assets protocol in the current tauri version, you need to explicitly specify paths to have files whitelisted. Indeed, when using an absolute path, you can use glob patterns:

/home/myUser/myapp/* => Works for every file in this folder
/home/myUser/myapp/myimage.png => Works for this specific file

But when using a path relative to the binary, globs don't work:

mySubfolder/* => 403 for every file in this folder
mySubfolder/myimage.png => Works for this specific file

There are possible workarounds, e.g.:

Reproduction

  1. Create an empty app
  2. Enable asset protocol
  3. Specify CSP to allow asset URL
  4. Put the picture inside the subfolder (in debug CLI, this folder will be relative to src-tauri/, in release mode relative to .exe file)
  5. Add this picture to html body (using convertFileSrc to get asset.localhost or asset:// url)
  6. Reproduce both scope configuration to notice the bug

Expected behavior

No response

Platform and versions

Environment
  › OS: Windows 10.0.22621 X64
  › Webview2: 108.0.1462.54
  › MSVC:

Packages
  › @tauri-apps/cli [NPM]: 1.2.2
  › @tauri-apps/api [NPM]: 1.2.0
  › tauri [RUST]: 1.2.2
  › tauri-build [RUST]: 1.2.1
  › tao [RUST]: 0.15.8
  › wry [RUST]: 0.23.4

App
  › build-type: build
  › CSP: default-src 'self'; img-src 'self' asset: https://asset.localhost
  › distDir: ../dist
  › devPath: http://localhost:1420/
  › framework: React
  › bundler: Vite

App directory structure
  ├─ .git
  ├─ .github
  ├─ dist
  ├─ node_modules
  ├─ public
  ├─ src
  └─ src-tauri

Stack trace

No response

Additional context

No response

lucasfernog commented 1 year ago

I'm trying to reproduce this with the API example. So I modify the configuration to allow "src/lib.rs" on the allowlist scope. Then I run fetch(window.__TAURI__.tauri.convertFileSrc('src/lib.rs')).then(console.log) and it gives me a 403 since we canonicalize the path before checking if it's allowed. So relative paths shouldn't work at all. Can you share a repo I can use to see what you've done?

Elanis commented 1 year ago

Here's a minimal example: https://github.com/Elanis/tauri-5896-example

If you replace the assetScope entry "assets/img/achievements.png" with "assets/img/*", for example, it doesn't work anymore.

lucasfernog commented 1 year ago

So I think this is only an issue on Windows, on macOS it always gets rejected. The fallback here might be the problem. I can check this after the holidays, I don't have Windows access right now.

Elanis commented 1 year ago

Thanks for the investigation! Indeed, I didn't try on Linux or macOS; it might be Windows only.

lucasfernog commented 1 year ago

Specifying the relative path assets/img/achievements.png in the scope works because we canonicalize the path, and since it exists it will return the absolute form of it, which can be matched against the path given in the asset protocol. In this case, this is the scope:

Scope { allowed_patterns: ["\\\\?\\C:\\Users\\username\\projects\\tauri\\tauri\\tauri-5896-example\\src-tauri\\assets\\img\\achievements.png", "assets\\img\\achievements.png"], forbidden_patterns: [] }

When we change the scope to allow assets/img/*.png, the *.png file does not exist in that folder, so the scope is different:

Scope { allowed_patterns: ["\\\\?\\assets\\img\\*.png", "assets\\img\\*.png"], forbidden_patterns: [] }

We should either block relative paths from the scope (I believe this was a concern raised by @tweidinger but we didn't handle this case) or prepend the CWD path in the scope so instead of \\\\?\\assets\\img\\*.png it would be \\\\?\\C:\\Users\\username\\projects\\tauri\\tauri\\tauri-5896-example\\src-tauri\\assets\\img\\achievements.png.
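The two scope behaviours described in the last comment, as an added example that is not tauri's own code: `resolve_naive` canonicalizes the whole pattern and falls back to the raw string when that fails (so a relative glob, which names no existing file, stays relative), while `resolve_anchored` takes the "prepend the base path" option, anchoring relative patterns at an explicit base directory and canonicalizing only the directory part so the wildcard cannot make canonicalization fail. The minimal `*` matcher, the `ResolvedPattern` type, and the temporary directory layout are constructed for this example and are assumptions, not tauri's scope implementation. Requests are canonicalized before matching, so a path that reaches a file outside the scope directory through `..` is rejected.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// One scope entry after resolution: `dir` is absolute and canonical, and only
/// the file name part may carry a `*` wildcard. (Hypothetical type for this example.)
#[derive(Debug, PartialEq)]
pub struct ResolvedPattern {
    pub dir: PathBuf,
    pub file_glob: String,
}

/// The behaviour the issue describes: canonicalize the pattern as a whole and
/// fall back to the raw string when that fails. A glob names no existing file,
/// so a relative glob stays relative and can never equal an absolute request path.
pub fn resolve_naive(pattern: &str) -> PathBuf {
    fs::canonicalize(pattern).unwrap_or_else(|_| PathBuf::from(pattern))
}

/// Hardened variant: anchor a relative pattern at `base` first, then
/// canonicalize only the directory part. A missing directory is an error
/// rather than a silently relative scope entry.
pub fn resolve_anchored(base: &Path, pattern: &str) -> io::Result<ResolvedPattern> {
    let raw = Path::new(pattern);
    let joined = if raw.is_absolute() { raw.to_path_buf() } else { base.join(raw) };
    let invalid = |msg: &str| io::Error::new(io::ErrorKind::InvalidInput, msg.to_string());
    let file_glob = joined
        .file_name()
        .and_then(|f| f.to_str())
        .ok_or_else(|| invalid("pattern has no file name component"))?
        .to_string();
    let parent = joined.parent().ok_or_else(|| invalid("pattern has no parent directory"))?;
    let dir = fs::canonicalize(parent)?;
    Ok(ResolvedPattern { dir, file_glob })
}

/// Minimal glob: `*` matches any run of characters inside one path component.
pub fn glob_match(glob: &str, name: &str) -> bool {
    let parts: Vec<&str> = glob.split('*').collect();
    if parts.len() == 1 {
        return glob == name;
    }
    let (first, last) = (parts[0], parts[parts.len() - 1]);
    if !name.starts_with(first) {
        return false;
    }
    let mut rest = &name[first.len()..];
    if !rest.ends_with(last) {
        return false;
    }
    rest = &rest[..rest.len() - last.len()];
    for piece in &parts[1..parts.len() - 1] {
        match rest.find(piece) {
            Some(i) => rest = &rest[i + piece.len()..],
            None => return false,
        }
    }
    true
}

/// Allow a request only when its canonical form sits directly in a scope
/// directory and its file name matches that entry's glob.
pub fn is_allowed(scope: &[ResolvedPattern], requested: &Path) -> bool {
    let canon = match fs::canonicalize(requested) {
        Ok(p) => p,
        Err(_) => return false,
    };
    let name = match canon.file_name().and_then(|n| n.to_str()) {
        Some(n) => n,
        None => return false,
    };
    let dir = match canon.parent() {
        Some(d) => d,
        None => return false,
    };
    scope.iter().any(|e| e.dir.as_path() == dir && glob_match(&e.file_glob, name))
}

/// Builds a throwaway layout (constructed for this example) and returns
/// (naive relative glob stayed relative, anchored scope allows the png,
/// anchored scope blocks a file outside assets/img reached via `..`).
pub fn demo_scope() -> io::Result<(bool, bool, bool)> {
    let base = std::env::temp_dir().join(format!("asset-scope-demo-{}", std::process::id()));
    fs::create_dir_all(base.join("assets/img"))?;
    fs::write(base.join("assets/img/achievements.png"), b"png-bytes")?;
    fs::write(base.join("assets/secret.txt"), b"not for the webview")?;

    let naive_stays_relative = resolve_naive("assets/img/*").is_relative();
    let scope = vec![resolve_anchored(&base, "assets/img/*")?];
    let allowed = is_allowed(&scope, &base.join("assets/img/achievements.png"));
    let escaped = is_allowed(&scope, &base.join("assets/img/../secret.txt"));

    fs::remove_dir_all(&base)?;
    Ok((naive_stays_relative, allowed, !escaped))
}

fn main() -> io::Result<()> {
    let (naive_relative, allowed, blocked) = demo_scope()?;
    println!("naive relative glob stays relative: {naive_relative}");
    println!("anchored scope allows achievements.png: {allowed}");
    println!("anchored scope blocks assets/secret.txt via ..: {blocked}");
    Ok(())
}
```

The point of canonicalizing the directory part separately is that the scope never contains a relative entry regardless of whether the pattern names an existing file, which is the inconsistency the thread traces between `assets/img/achievements.png` and `assets/img/*.png`.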